Spring Team Open Sources nohttp to Eliminate HTTP Usage


The Spring team has open-sourced the nohttp project to find, replace, and block the use of http://.

The project aims to avoid using http:// when https:// is available, ensuring that man-in-the-middle attacks do not occur.

Rob Winch, the lead for the Spring Security, Session, and LDAP projects, pointed out that the Spring team is making every effort to update all URLs to use HTTPS, including project Maven repository URLs, Apache License, and documentation links.


However, there are cases where HTTPS cannot be used, such as when certain sites linked by Spring do not support HTTPS, or when XML namespace identifiers must match those in the document.

The Spring Framework has now been updated to resolve XML locations using HTTPS from the classpath. Previously, this only applied to URLs using HTTP.

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           https://www.springframework.org/schema/beans/spring-beans.xsd">
    <!-- bean definitions go here -->
</beans>

The https://www.springframework.org/schema/beans/spring-beans.xsd URL above is resolved through the classpath without requiring a network connection.

In this case, the XML namespace name (identifier) cannot be changed to use HTTPS. From a security control perspective, this is not ideal, but since it does not involve network requests, it poses almost no harm to users.

On the other hand, Rob stated that the Spring team has updated all hosts to ensure the use of HTTPS, with each site supporting HTTPS, redirecting to HTTPS, and using Strict Transport Security.


Because potential man-in-the-middle attacks were previously possible, the infrastructure could have been compromised, which is why Spring has rebuilt all build infrastructure and rotated all credentials.

These security measures are crucial, but Rob emphasized that having security controls in place is also important to ensure that issues do not recur. Thus, the team updated the build box to block HTTP traffic and created the nohttp project to protect developers and users.

nohttp can be used to find, replace, and block the use of http://.

The project repository includes several major modules:

  • nohttp – Core, allows finding and replacing http:// URLs
  • nohttp-cli – Lightweight nohttp wrapper for command-line execution
  • nohttp-checkstyle – nohttp integrated with checkstyle
  • nohttp-gradle – nohttp integrated with Gradle
  • samples – Some nohttp use cases
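
The find-and-replace behaviour of the core module, together with the namespace-identifier exception from the XML example above, can be illustrated as follows. This is an added example in Python, not nohttp's own code; the function names, the `allow` parameter and the sample document are assumptions constructed for illustration.

```python
import re

# Added illustration: names below are hypothetical, not nohttp's API.
# Constructed sample: namespace identifiers stay http://, locations should not.
SAMPLE = '''<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd">
    <!-- docs: http://example.com/guide -->
</beans>
'''

URL = re.compile(r'http://[^\s"\'<>]+')
XMLNS = re.compile(r'xmlns(?::[\w.-]+)?\s*=\s*"(http://[^"]*)"')
SCHEMA_LOC = re.compile(r'schemaLocation\s*=\s*"([^"]*)"')


def namespace_identifiers(text):
    """Collect http:// strings that are XML namespace names, not fetch targets."""
    ids = set(XMLNS.findall(text))
    for value in SCHEMA_LOC.findall(text):
        tokens = value.split()
        ids.update(tokens[0::2])  # schemaLocation holds (namespace, location) pairs
    return ids


def find_http(text, allow=()):
    """Return (line_number, url) for every http:// URL that is not exempt."""
    exempt = namespace_identifiers(text) | set(allow)
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in URL.finditer(line):
            if m.group(0) not in exempt:
                hits.append((lineno, m.group(0)))
    return hits


def replace_http(text, allow=()):
    """Rewrite non-exempt http:// URLs to https://, leaving identifiers intact."""
    exempt = namespace_identifiers(text) | set(allow)
    return URL.sub(lambda m: m.group(0) if m.group(0) in exempt
                   else 'https://' + m.group(0)[len('http://'):], text)


if __name__ == '__main__':
    for lineno, url in find_http(SAMPLE):
        print(f'line {lineno}: {url}')
```

Passing a site that does not support HTTPS in `allow` keeps it out of the findings, which mirrors the exception the article describes; a non-empty result from `find_http` can be used to fail a build.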

For more details, see the project introduction:

https://github.com/spring-io/nohttp


Author: A Bowl of Cuties

Source: blog.csdn.net/ybulingbuling/article/details/99682361
